WooCommerce Vulnerability Affects Millions of WordPress Sites

Maxoq

Well-known member
Registered
Joined
Feb 25, 2015
Messages
520
Points
28
A new article on Search Engine Journal here reports that WooCommerece just announced a patch for a critical vulnerability that is rolling out as a forced update. Publishers have been urged to check if they're updated.

woocommerce-vulnerability-affects-millions-wordpress-sites.jpg

WooCommerce has just announced it has patched a critical vulnerability affecting millions of users. Publishers using the WooCommerce plugin or the WooCommerce Blocks plugin are strongly urged to update their plugins if they have not already automatically updated.

"On July 13, 2021, a critical vulnerability concerning WooCommerce and the WooCommerce Blocks feature plugin was identified and responsibly disclosed by security researcher Josh via our HackerOne security program.

Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch to fix the issue for every impacted version (90+ releases), which was deployed automatically to vulnerable stores."
If you have a WooCommerce store, automatic software updates began rolling out on July 14, 2021, to all stores running impacted versions of each plugin. It's recommended you ensure that you're using the latest version. For WooCommerce, this is 5.5.1 or the highest number possible in your release branch. If you're also running WooCommerce Blocks, you should be using version 5.5.1 of that plugin.

After updating to a patched version, the company also recommends:
Updating the passwords for any Admin users on your site, especially if they reuse the same passwords on multiple websites
Rotating any Payment Gateway and WooCommerce API keys used on your site.

If your website didn't get the automatic update, That could be for a number of reasons, a few of the most likely are: you're running a version prior to one impacted (below WooCommerce 3.3), automatic updates have been explicitly disabled on your site, your filesystem is read-only, or there are potentially conflicting extensions preventing the update. In all cases (except the first example, where you are unaffected), you should attempt to manually update to the newest patched version on your release branch (e.g. 5.5.1, 5.4.2, 5.3.1, etc.)
 

Philippe Gaucher

Well-known member
Collaborate
Registered
Joined
Jul 27, 2016
Messages
184
Points
18
Best answer
I am updating WooCommerece, if you are using old version of WooCommerece, it should be updated immediately.
 

Asgard87

Member
Registered
Joined
May 31, 2020
Messages
61
Points
6
Agree with visualwebhost here..if you are updating WP and woocommerce versions regularly, it is not a big problem. In my earlier organization, I faced this issue initially because we were scared that we might lose on the new versions of updated plugins but that was taken away when we spoke to the support from our host (Bluehost India). They explained to us how to update without any loss on plugins, SEO data etc. It was quite simple to be honest but good to have a hosting provider who understands these nuances too.
 

DeeDeeHost

New member
Registered
Joined
Sep 1, 2021
Messages
6
Points
1
Other then making sure to avoid using purchased templates which lack fast updates as well as avoiding non popular WordPress plug-ins and by using a Child-template so your template(s) won't be affected by any WordPress core version updates;

1) Keep your WordPress core version up-to-date
2) Keep your WordPress plug-ins up-to-date
3) Keep your WordPress themes up-to-date
4) Use WordFence free plug-in version to monitor any suspicious WordPeress activity

* optionally, use a web hosting company with a Imunify360 panel to block all suspicious activity
 
Latest Threads
Replies
1
Views
24
Replies
0
Views
176
Replies
1
Views
37
Replies
2
Views
81

Latest postsNew threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top